Bug 819123 - Requesting certificate on Android browser causes SIGSEGV on server
Status: CLOSED NEXTRELEASE
Product: Dogtag Certificate System
Classification: Community
Component: EE/Agent/Admin Servlets
Version: 9.0
Platform: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Dmitri Pal
QA Contact: Chandrasekar Kannan
Blocks: 760283
Reported: 2012-05-04 18:40 EDT by Kenny Root
Modified: 2015-01-05 20:18 EST (History)
Fixed In Version: pki-common-8.1.4-1.el5pki redhat-pki-ca-ui-8.1.1-1.el5pki
Doc Type: Bug Fix
Last Closed: 2014-08-28 21:42:19 EDT

Attachments:
crash dump (50.72 KB, text/plain)
2012-05-04 18:41 EDT, Kenny Root
patch eliminating CA crash (9.65 KB, patch)
2012-07-23 20:44 EDT, Andrew Wnuk
mharmsen: review+

Description Kenny Root 2012-05-04 18:40:39 EDT
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.36 Safari/536.5

Requesting a certificate from an Android browser crashes the Dogtag server. Since this SIGSEGV happens based on client input, this is probably a remotely exploitable security problem.

Reproducible: Always

Steps to Reproduce:
1. Go to EE page in Android browser
2. Go to request a client certificate
3. Fill in fields, click on the Next> button
Actual Results:
Dogtag server crashes with SIGSEGV in:

C  [libosutil.so+0x1666]  Java_com_netscape_osutil_OSUtil_AtoB+0x36

Expected Results:
Certificate is generated and next page is displayed saying request has been filed.

Stack: [0x00007f2296dee000,0x00007f2296eef000],  sp=0x00007f2296eeca10,  free space=1018k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
V  [libjvm.so+0x4bbb19]  AsyncGetCallTrace+0xacf29
C  [libosutil.so+0x1666]  Java_com_netscape_osutil_OSUtil_AtoB+0x36
j  com.netscape.cmscore.apps.CMSEngine.AtoB(Ljava/lang/String;)[B+1
j  com.netscape.certsrv.apps.CMS.AtoB(Ljava/lang/String;)[B+4
j  com.netscape.cms.profile.common.EnrollProfile.parseKeyGen(Ljava/util/Locale;Ljava/lang/String;)Lnetscape/security/util/DerInputStream;+1
j  com.netscape.cms.profile.input.KeyGenInput.populate(Lcom/netscape/certsrv/profile/IProfileContext;Lcom/netscape/certsrv/request/IRequest;)V+146
j  com.netscape.cms.profile.common.BasicProfile.populateInput(Lcom/netscape/certsrv/profile/IProfileContext;Lcom/netscape/certsrv/request/IRequest;)V+37
j  com.netscape.cms.profile.common.EnrollProfile.populateInput(Lcom/netscape/certsrv/profile/IProfileContext;Lcom/netscape/certsrv/request/IRequest;)V+3
j  com.netscape.cms.servlet.profile.ProfileSubmitServlet.process(Lcom/netscape/cms/servlet/common/CMSRequest;)V+4502
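The native frames above show client-supplied keygen text travelling from EnrollProfile.parseKeyGen straight into the JNI decoder OSUtil.AtoB, where a bad input becomes a process crash instead of an error response. The following is an added example, not code from this bug or from Dogtag: it shows the defensive pattern of validating and decoding the value in managed Java first, so that anything malformed is rejected with a reason the servlet can report, and nothing unchecked ever reaches native code. The class and method names, the size limit and the sample inputs are assumptions constructed for this example.

```java
import java.util.Base64;
import java.util.regex.Pattern;

/**
 * Added example, not Dogtag code. Validates a client-supplied keygen (SPKAC)
 * value in managed Java before anything native sees it. The class name, the
 * size limit and the sample inputs in main() are constructed assumptions.
 */
public final class KeyGenInputGuard {

    /** Canonical Base64 alphabet with optional '=' padding (whitespace is stripped first). */
    private static final Pattern BASE64 = Pattern.compile("[A-Za-z0-9+/]+={0,2}");

    /** Assumed upper bound for an encoded SPKAC blob posted from a browser form. */
    private static final int MAX_ENCODED_LEN = 16 * 1024;

    /** Outcome: decoded DER on success, otherwise a reason to return to the client. */
    public static final class Result {
        public final byte[] der;
        public final String error;

        private Result(byte[] der, String error) {
            this.der = der;
            this.error = error;
        }

        public boolean ok() {
            return error == null;
        }
    }

    private static Result reject(String why) {
        return new Result(null, why);
    }

    /**
     * Validate and decode untrusted keygen text. Every failure path returns a
     * Result rather than throwing or crashing, so the servlet can answer cleanly.
     */
    public static Result parseKeyGen(String keygen) {
        if (keygen == null || keygen.trim().isEmpty()) {
            return reject("keygen value is missing");
        }
        // Browsers may fold long form values across lines; tolerate that by stripping whitespace.
        String compact = keygen.replaceAll("\\s+", "");
        if (compact.length() > MAX_ENCODED_LEN) {
            return reject("keygen value exceeds " + MAX_ENCODED_LEN + " characters");
        }
        if (compact.length() % 4 != 0 || !BASE64.matcher(compact).matches()) {
            return reject("keygen value is not canonical Base64");
        }
        byte[] der;
        try {
            der = Base64.getDecoder().decode(compact);
        } catch (IllegalArgumentException e) {
            return reject("keygen value failed Base64 decoding: " + e.getMessage());
        }
        if (!isSingleDerSequence(der)) {
            return reject("decoded keygen value is not one well-formed DER SEQUENCE");
        }
        return new Result(der, null);
    }

    /** True if the buffer is exactly one DER SEQUENCE whose encoded length matches its size. */
    static boolean isSingleDerSequence(byte[] b) {
        if (b.length < 2 || b[0] != 0x30) {
            return false;
        }
        int first = b[1] & 0xFF;
        long contentLen;
        int headerLen;
        if (first < 0x80) {
            contentLen = first;          // short-form length octet
            headerLen = 2;
        } else {
            int lenBytes = first & 0x7F; // long form: number of following length octets
            if (lenBytes == 0 || lenBytes > 4 || b.length < 2 + lenBytes) {
                return false;
            }
            contentLen = 0;
            for (int i = 0; i < lenBytes; i++) {
                contentLen = (contentLen << 8) | (b[2 + i] & 0xFF);
            }
            headerLen = 2 + lenBytes;
        }
        return headerLen + contentLen == b.length;
    }

    public static void main(String[] args) {
        // Constructed inputs: a minimal empty SEQUENCE (accepted), a SEQUENCE whose
        // length claims more bytes than are present, a non-Base64 string, and an empty value.
        String[] samples = { "MAA=", "MAI=", "not base64!", "" };
        for (String s : samples) {
            Result r = parseKeyGen(s);
            System.out.println("\"" + s + "\" -> "
                    + (r.ok() ? "accepted, " + r.der.length + " DER bytes" : "rejected: " + r.error));
        }
    }
}
```

The DER check is deliberately shallow: it only confirms that the decoded bytes form a single SEQUENCE of consistent length, which is enough to keep truncated or padded garbage away from a real SPKAC parser. A full parse of the public key and challenge still belongs in the ASN.1 layer, but that layer now only ever sees input that has already survived these checks.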
Comment 1 Kenny Root 2012-05-04 18:41:19 EDT
Created attachment 582229
crash dump
Comment 2 Kenny Root 2012-05-04 18:42:09 EDT
Note that this JNI library appears to be removed in tip-of-tree dev branch.
Comment 3 Andrew Wnuk 2012-05-09 14:31:14 EDT
Kenny, could you provide the Dogtag version and the Android browser name and version?
Comment 4 Andrew Wnuk 2012-05-09 14:36:44 EDT
and Android version too.
Comment 5 Kenny Root 2012-05-21 14:20:39 EDT
Sorry, I somehow missed your request for information.

I am using Dogtag from FC16 (e.g., pki-common-9.0.19-1.fc16.noarch)

The Android browser is the built-in Browser from a Galaxy Nexus on ICS 4.0.4.
Comment 6 Andrew Wnuk 2012-05-21 15:12:46 EDT
Do you remember the enrollment type that you selected?

Could you try it again and attach the piece of the debug log related to this enrollment?
Comment 7 Andrew Wnuk 2012-05-22 13:37:49 EDT
I asked for a fragment of the file that is usually located
in /var/lib/pki-ca/logs/debug, showing the enrollment that you performed.

You may edit this file to erase your private information.
If there is anything interesting related to this enrollment in other log files, please attach the corresponding file fragments too.

I also need the enrollment type that you selected from your browser,
and preferably the data entered during this enrollment.

I am not interested in your PKCS7 files.
Comment 9 Andrew Wnuk 2012-07-23 20:44:05 EDT
Created attachment 599880
patch eliminating CA crash
Comment 12 Andrew Wnuk 2012-07-24 14:46:18 EDT
git push
Counting objects: 43, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (21/21), done.
Writing objects: 100% (24/24), 3.08 KiB, done.
Total 24 (delta 19), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   6ff5c17..87c92d0  DOGTAG_9_BRANCH -> DOGTAG_9_BRANCH
Comment 13 Andrew Wnuk 2012-07-24 17:18:37 EDT
git push
Counting objects: 43, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (21/21), done.
Writing objects: 100% (24/24), 3.04 KiB, done.
Total 24 (delta 19), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   4e1010b..7168edc  master -> master
Comment 15 Andrew Wnuk 2012-08-27 16:42:02 EDT
git push
Counting objects: 19, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (10/10), 770 bytes, done.
Total 10 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   a3af1af..6fa7797  DOGTAG_9_BRANCH -> DOGTAG_9_BRANCH
Comment 17 Niranjan Mallapadi Raghavender 2013-04-01 06:00:57 EDT
#--------------------------------------------------------#

Versions:
Name        : pki-ca                       Relocations: (not relocatable)
Version     : 8.1.1                             Vendor: Red Hat, Inc.
Release     : 1.ecc.el5pki                  Build Date: Tue 12 Mar 2013 03:00:56 PM EDT
Install Date: Wed 13 Mar 2013 05:05:43 PM EDT      Build Host: payday.dsdev.sjc.redhat.com
Group       : System Environment/Daemons    Source RPM: pki-ca-8.1.1-1.ecc.el5pki.src.rpm
Size        : 924349                           License: GPLv2 with exceptions

#--------------------------------------------------------#

Install and configure CA 
[root@nocp4 pki-ca-feb8-inst1-nocp4]# /etc/init.d/pki-ca-feb8-inst1-nocp4 status
pki-ca-feb8-inst1-nocp4 (pid 2208) is running ...

    Unsecure Port       = http://nocp4.dsdev.sjc.redhat.com:9180/ca/ee/ca
    Secure Agent Port   = https://nocp4.dsdev.sjc.redhat.com:9443/ca/agent/ca
    Secure EE Port      = https://nocp4.dsdev.sjc.redhat.com:9444/ca/ee/ca
    Secure Admin Port   = https://nocp4.dsdev.sjc.redhat.com:9445/ca/services
    EE Client Auth Port = https://nocp4.dsdev.sjc.redhat.com:9446/ca/eeca/ca
    PKI Console Port    = pkiconsole https://nocp4.dsdev.sjc.redhat.com:9445/ca
    Tomcat Port         = 9701 (for shutdown)

    PKI Instance Name:   pki-ca-feb8-inst1-nocp4

    PKI Subsystem Type:  Root CA (Security Domain)

    Registered PKI Security Domain Information:
    ======================================================
    Name:  pki-ca-ecc-08022013-1
    URL:   https://nocp4.dsdev.sjc.redhat.com:9445
    ======================================================


#--------------------------------------------------------#

1. Download Android SDK from below link
https://developer.android.com/sdk/index.html 

SDK: http://dl.google.com/android/android-sdk_r21.1-linux.tgz

#--------------------------------------------------------#

2. Extracted the SDK on Red Hat Enterprise Linux Workstation release 6.3 (Santiago) 32 bit.

3. Install the packages below before starting the Android simulator:
yum install glibc.i686 ncurses-libs.i686 libstdc++.i686 libX11.i686 libXrandr.i686 SDL.i686

#--------------------------------------------------------#

4. Extract android-sdk_r21.1-linux.tgz
 From /home/test/android-sdk-linux/tools, installed the tools below:

Android SDK tools
Android SDK Platform tools
Android 4.1.2 (SDK platform)
#--------------------------------------------------------#
5. Create virtual device image:
cd /home/test/android-sdk-linux/tools/
./android create avd -n cs8.1.2 -t 4

Auto-selecting single ABI armeabi-v7a
Created AVD 'cs8.1.2' based on Google APIs (Google Inc.), ARM (armeabi-v7a) processor,
with the following hardware config:
hw.lcd.density=240
vm.heapSize=48
hw.ramSize=512
#--------------------------------------------------------#

6. Start the Emulator 
$ cd /home/test/android-sdk-linux/tools/
$ ./emulator @cs8.1.2

#--------------------------------------------------------#

7. From the apps, select Browser and type the URL "https://nocp4.dsdev.sjc.redhat.com:9444/ca/ee/ca"
#--------------------------------------------------------#
8. A security warning will be displayed; select "Continue"
#--------------------------------------------------------#
9. Select "SSL End User services"
#--------------------------------------------------------#
10. Select "Manual User Dual-Use Certificate Enrollment"
    i) Key Gen Request type: "keygen"
    ii) Key Generation Request: "High Grade"
    iii) uid: android-1, email: android-1@foobar.org
    iv) click on submit
#--------------------------------------------------------#
11. Request id:40000014 is returned
#--------------------------------------------------------#
12. Access the "https://nocp4.dsdev.sjc.redhat.com:9443/ca/agent/ca" interface and approve the request id 40000014
#--------------------------------------------------------#
13. From the EE page on the Android browser, click on Request id: 4000014; the status is shown as "Complete" with issued certificate serial number 0x31b60a14.
#--------------------------------------------------------#
14. Access the EE profile "Manual Dual-Use S/MIME Capabilities Certificate Enrollment" from the Android browser and specify the details:
uid=android-2, email: android-2@foobar.org, then click on submit.
#--------------------------------------------------------#
15. Request id:40000016 is returned
#--------------------------------------------------------#
16. Access the "https://nocp4.dsdev.sjc.redhat.com:9443/ca/agent/ca" interface and approve the request id 40000016
#--------------------------------------------------------#
17. From the EE page on the Android browser, click on Request id: 4000016; the status is shown as "Complete" with issued certificate serial number 0x34c840e3.
#--------------------------------------------------------#
Certificate issued successfully and no CA subsystem crash is seen.

#--------------------------------------------------------#
